Policy —

Europe proposes a “right to be forgotten”

The European Commission has proposed a new set of data protection rules that …

European Union Justice Commissioner Viviane Reding has proposed a sweeping reform of the EU's data protection rules, claiming that the proposed rules will both cost less for governments and corporations to administer and simultaneously strengthen online privacy rights.

The 1995 Data Protection Directive already gives EU citizens certain rights over their data. Organizations can process data only with consent, and only to the extent that they need to fulfil some legitimate purpose. They are also obliged to keep data up-to-date, and retain personally identifiable data for no longer than is necessary to perform the task that necessitated collection of the data in the first place. They must ensure that data is kept secure, and whenever processing of personal data is about to occur, they must notify the relevant national data protection agency.

The new proposals go further than the 1995 directive, especially in regard to the control they give citizens over their personal information. Chief among the new proposals is a "right to be forgotten" that will allow people to demand that organizations that hold their data delete that data, as long as there is no legitimate grounds to hold it.

It's not 1995 anymore

The 1995 Directive was written in a largely pre-Internet era; back then, fewer than one percent of Europeans were Internet users. The proposed directive includes new requirements designed for the Internet age: EU citizens must be able to both access their data and transfer it between service providers, something that the commission argues will increase competition. Citizens will also have to give their explicit permission before companies can process their data; assumptions of permission won't be permitted, and systems will have to be private by default.

These changes are motivated in particular by the enormous quantities of personal information that social networking sites collect, and the practical difficulties that users of these services have in effectively removing that information. Reding says that the new rules "will help build trust in online services because people will be better informed about their rights and in more control of their information."

Where do the claimed savings come from? EU member states currently comply with the 1995 Directive, but each of the 27 states has interpreted and applied these rules differently. The European Commission argues that this incurs unnecessary administrative burdens on all those involved with handling data. The new mandate would create a single set of rules consistent across the entire EU, with projected savings for businesses of around €2.3 billion (US$2.98 billion) per year.

With rules streamlined throughout the trading bloc, companies would in turn only have to deal with the data protection authorities in their home country, rather than in every state in which they trade.

The new rules would also reduce the routine data protection notifications that businesses must currently send to national data protection authorities, allowing further savings of €130 million (US$169 million). However, organizations that handle data will have greater obligations in the event of data breaches: they will have to notify data protection authorities as soon as possible, preferably within 24 hours.

The rules will also apply to companies that process data abroad, if those companies serve the EU market and EU citizens.

Non-compliance will be punishable by the national data protection authorities, and they will be able to apply penalties of up to €1 million (US$1.3 million) or two percent of global annual turnover.

The proposal will undergo discussion in the European Parliament. Once the rules are adopted, they will take effect within two years.

A mixed response

Industry responses to the proposals have been varied. While the harmonization and reduction of routine notifications is welcomed, some have rubbished Reding's claim that the new directive will reduce costs. For example, the Business Software Alliance's European government affairs director, Thomas Boué said, "The Commission's proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information."

Supporters of the new proposals argue that the new directive will force companies to do things that they should already be doing. Christian Toon, head of information security at document management firm Iron Mountain, says, "Many businesses of all sizes are falling short of what is required to manage information responsibly. [...] Regardless of turnover, sector or country of operation, making sure that employee and customer information is protected should be common practice, not a reaction to new legislation."

Indeed, many of the provisions of the new directive have similar counterparts in the existing directive, and others are features of national law of some, but not all, EU member states. For example, current law gives citizens the right to have inaccurate data about them corrected. In some countries, such as the UK, this extends to a right to have that inaccurate data deleted outright. In others, such as Belgium, Germany, and Sweden, it does not. The new rules would make that right to delete universal, and would make it apply even for accurate data that is no longer necessary.

This is the so-called "right to be forgotten". The proposal does not create a right to be thrown down the memory hole or rewrite the past; news reports and similar material would be a legitimate reason to retain personal information, and this would override a demand to have data deleted. But sites like Facebook—which has had difficulties with the concept of deletion—and Google would likely be required to purge any such personal data should someone demand that they do so.

A strict "opt-in" requirement for the use of personal data could make advertising-funded services that rely on that personal data to properly target advertisements difficult to operate. The requirement to report breaches in 24 hours might also be difficult to fulfil, since it can take much longer for a breach to even be detected.

The new rules would create an interesting predicament for a company like Google. The search giant has just announced its new privacy policy that enables it to collect and aggregate data from almost all Google services, with no provision to opt out or restrict the processing the company performs to private data. This is the opposite of the "private by default" policy that the proposed rules require, and the only way that Google users will attain that privacy is by not creating or using a Google account.

When asked about the impact of the new rules, a Google spokesperson told Ars: "We support simplifying privacy rules in Europe to both protect consumers online and stimulate economic growth. It is possible to have simple rules that do both. We look forward to debating the proposals over the coming months."

But still, this is not a fundamental shift in the demands placed on data-holding organizations. They must already be able to identify personal data, they must already store it securely, and they must already be able to provide it on-demand. Doing these things requires that systems are designed appropriately, and this can certainly incur costs—but they are costs that should already exist today.